5/05/2020

As you may have seen from my blog and tweets, I recently rewrote XSpear from scratch as a new project and created an XSS scanning tool called DalFox. Today I'm going to share a few tips worth knowing when you use DalFox.

Usage of DalFox

DalFox has many options. Use them appropriately according to your situation and needs!

Case study1 - Using pipelining

Many bounty hunters want to automate their workflow and find vulnerabilities easily. I'm in the same boat, and to make that a little easier, DalFox was designed from the start with pipelines in mind. So far it supports three scan modes ('url', 'file' and 'pipe'), and a somewhat unusual scan mode for Stored XSS is planned for the future.

file Use file mode (target list or raw data)
pipe Use pipeline mode
url Use single target mode

First of all, url and file are options that many other tools also use, so I'll talk only briefly about pipe.

When you run DalFox in pipe mode, the input is read from stdin, so you can feed it through a pipeline from other tools. The input format is a URL list split on newline characters, one URL per line, which is the same format the file option uses.

One thing I want to talk about here is the number of workers. As you already know, Golang achieves high concurrency and very high speed through goroutines and channels. DalFox creates and tests with 40 workers by default, and a pipeline can carry a very large number of inputs; although it is extremely rare, that can also exhaust the maximum number of sockets per process that the OS allows. So I think the worker count needs to be adjusted to the right level.
(Of course, for fewer targets or a single scan it is fine to use the default or more.)

Case study2 - Notify slack using --found-action option

The second is the '--found-action' option. This option lets you specify a command to run immediately when a payload is confirmed during scanning or detected by the Verify DOM logic. There are many use cases, but notification is the representative one.

Case study3 - Grepping custom pattern

The third is the grepping option, '--grep'. The reason for creating this option is that although an XSS scanning tool is meant for XSS detection, it can actually be useful for finding other vulnerabilities as well. So I thought it would be nice to give users a custom response grep, and I built this function.

By default, SSTI and a few other patterns (SSL private key detection, etc.) are built in. In addition, you can refer to an external pattern JSON file in the form '--grep=JSON_FILE'. As an example, I'll scan a HackerOne report page that includes an S3 address.
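As an added example (not DalFox's own code), here is a small Go program that builds such a pattern file and runs the patterns over a constructed response containing an S3 address, the way a grep step would. It assumes the --grep file is a flat JSON object mapping a pattern name to a regex; the pattern names, regexes, file name and sample body are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
)
// CustomGreps maps a pattern name to a regex. Assumption: the --grep JSON file
// is this flat name-to-regex object; the names and regexes here are my own.
var CustomGreps = map[string]string{
	"s3-bucket-url":  `https?://[a-z0-9.-]+\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/[^\s"'<>]*`,
	"aws-access-key": `AKIA[0-9A-Z]{16}`,
}

// WriteGrepFile serialises the map into the file handed to --grep=JSON_FILE.
func WriteGrepFile(path string, patterns map[string]string) error {
	data, err := json.MarshalIndent(patterns, "", "  ")
	if err != nil {
		return err
	}
	return os.WriteFile(path, data, 0o644)
}
// GrepResponse compiles each pattern with Go's regexp package (RE2 syntax, as a
// Go tool like DalFox would) and returns all matches per pattern name. RE2 rejects
// lookaround and backreferences, so this also validates a pattern file up front.
func GrepResponse(patterns map[string]string, body string) (map[string][]string, error) {
	found := map[string][]string{}
	for name, pat := range patterns {
		re, err := regexp.Compile(pat)
		if err != nil {
			return nil, fmt.Errorf("pattern %q is not RE2-compatible: %w", name, err)
		}
		if m := re.FindAllString(body, -1); len(m) > 0 {
			found[name] = m
		}
	}
	return found, nil
}
// SampleBody is a constructed response snippet standing in for a report page.
const SampleBody = `<p>Attachment: https://reports-bucket.s3.amazonaws.com/uploads/poc.png</p>`

func main() {
	found, err := GrepResponse(CustomGreps, SampleBody)
	if err != nil {
		panic(err)
	}
	fmt.Println(found) // map[s3-bucket-url:[https://reports-bucket.s3.amazonaws.com/uploads/poc.png]]
}
```

Run GrepResponse over your pattern file before a long scan: a pattern written for PCRE (lookahead, backreferences) compiles fine elsewhere but is rejected by RE2, and it is better to learn that up front than to get silent non-matches.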

Conclusion

I think there are still a lot of features that are lacking, and many that need to be added. Still, it is clearly better than the XSpear I made before, so I hope it will be a little help in your happy bug bounty life. Use it well; feature suggestions and bug reports are always welcome!